On Tue, May 7, 2013 at 11:20 AM, Graeme Fowler <graeme@???> wrote:
>
> I'm slightly late to the list party on this one as I've been running
> after errant racing cars all weekend, but (as I commented on the G+
> thread for this) the default configuration's RCPT ACL would reject an
> inbound email address containing backticks as being invalid.
>
> This does not absolve the "use_shell" option of its risk, but does
> mitigate it somewhat.
>
Not really, if the shell handling is POSIX compliant, then command
substitution can also happen with the $() construct.
This is just as dangerous, and permits nesting of shell commands.
The characters $() are not rejected, unless I am mistaken:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_default_configuration_file.html
I have not tested if use_shell etc. permits remote code execution when this
command substitution construct is used, so I may have missed something.
--
Jan
